Tesla cryptojacked by currency miners

Tesla’s Amazon Web Services (AWS) cloud account was broken into by hackers who suckled at its computer power for cryptocurrency mining, according to security researchers at RedLock.

The researchers said on Tuesday that the hackers managed to get into the administration console for Tesla’s Kubernetes account because it wasn’t password-protected. Kubernetes is an open-source system designed by Google for optimizing cloud applications.

Once they were in, they found access credentials for Tesla’s AWS environment. They also got at an Amazon S3 (Amazon Simple Storage Service) bucket that had sensitive telemetry data related to Tesla cars.

To mine cryptocurrency – the researchers didn’t say what kind or how much the hackers got – the attackers hid the true IP address of a mining-pool server behind an IP address hosted by CloudFlare, a free content delivery network.

RedLock says it immediately reported the issue to Tesla, which quickly scrubbed itself clean of the infection. Tesla sent a statement to media outlets in which it said that it hadn’t uncovered any sign of customer privacy or vehicle safety or security having been compromised:

We maintain a bug bounty program to encourage this type of research, and we addressed this vulnerability within hours of learning about it. The impact seems to be limited to internally-used engineering test cars only, and our initial investigation found no indication that customer privacy or vehicle safety or security was compromised in any way.

RedLock said that the Tesla attack is similar to those it’s discovered in the past few months targeting Aviva, a British multinational insurance company, and Gemalto, the world’s largest manufacturer of SIM cards.

RedLock said that Tesla, Aviva and Gemalto all had at least one thing in common: Kubernetes consoles accessible to anybody on the internet, all lacking password protection. In fact, the researchers said they found hundreds of such unprotected consoles.

Within the past few months, cryptomining has cropped up on at least a couple of sites, such as The Pirate Bay and Salon, that are purposefully doing it to make money they say they can’t get through advertising.

Unauthorized cryptomining, known as cryptojacking, has shown up in unexpected places: a recent example simultaneously infected numerous government websites in at least the US, the UK and Australia, when a third-party service that they all used for text-to-speech conversion got hacked.

Did the franchise do it on purpose? Or was it victimized by cryptojackers? Most of the time, cryptojacking is intentional, Naked Security’s Paul Ducklin told Wired at the time of the Starbucks incident:

It’s hard to guess the motivation of an unknown website operator, but based on an analysis of our detection data for the month of November [2017], most coinmining sites were doing it on purpose, and a significant majority were taking all the CPU they could get.

As we noted with Salon’s “turn off your adblocker or get to work mining for us,” you’ll probably have a tough time making money from browser-based cryptomining.

Even Coinhive, a website dedicated to providing cloud-based cryptomining services for a 30% cut of the take, admits that your takings are likely to be modest: a site with 1,000,000 page visits a month, each of which lasts a full five minutes, none of which are from mobile devices, and where visitors are forced to mine all the time they’re on the site, is only going to pull in about 0.27 Monero a month – currently about $100.

How much cryptocoin does unauthorized sipping off an AWS get you?

It doesn’t matter. It’s illegal.

Come up with a different hobby rather than go down that route, and while we’re all on the topic, make sure to password-protect those Kubernetes consoles!